Kerberos Direct Service Authentication without Client / KDC Communication?
Michael B Allen
ioplex at gmail.com
Mon Mar 15 15:08:42 EDT 2010
Hi All,

Is there a mode of operation where a Kerberos client can directly
authenticate with a service without first communicating with a KDC?
Kerberos currently requires that clients are using a suitable DNS
server, have access to whatever KDCs DNS is referring it to and have
relatively accurate time. In many environments these requirements are
too demanding.

There should be a mode of operation where a client can compose a
Kerberos request without communicating with the KDC, DNS or time
services and which can be submitted directly to a Kerberos service.
This request would contain information about the client principal and
target principal and would be encrypted using the client principal
secret key known only to the client and the KDC. The Kerberos service
accepting this ticket could compose a request containing the client's
request and pass this to a KDC as a sort of AS-REQ. In return the
service would receive either an error (such as indicating that the
client request could not be successfully decrypted) or a service
ticket with the usual fields like authorization-data and possibly a
TGT that would be equivalent to a TGT that a client might normally
submit through delegation. The service would then pass the service
ticket down to the client to indicate that authentication was
successful.

The objective is to have the Kerberos service act as a proxy to the
KDC so as to release the client from impractical communication and
configuration requirements. The client should only need to know the
shared secret.

If such a thing does not already exist, I think it should.

Mike
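The flow proposed in the post above, as an added toy simulation written for this page (not code from the poster or from any Kerberos implementation): a stand-in encrypt-then-MAC replaces real Kerberos encryption types, the principal names and key database are constructed, and the client, proxying service and KDC are plain functions so the trust relationships are visible.

```python
import hashlib, hmac, json, os

def _keystream(key, nonce, n):
    blocks = [hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1)]
    return b"".join(blocks)[:n]

def seal(key, obj):
    """Toy encrypt-then-MAC; stands in for a real Kerberos encryption type."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("decryption failed")  # wrong key or tampered blob
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

# Constructed principal database: the long-term keys the KDC shares with each principal.
KEYS = {"alice@EXAMPLE.COM": os.urandom(32), "host/svc.example.com@EXAMPLE.COM": os.urandom(32)}

def client_request(cname, sname, client_key):
    """Step 1: composed offline; the client needs only its own long-term key."""
    return {"cname": cname, "sname": sname, "enc": seal(client_key, {"cname": cname, "sname": sname})}

def kdc_handle(req):
    """Step 2: the KDC checks the client's encrypted part and issues a ticket for sname."""
    client_key = KEYS.get(req["cname"])
    if client_key is None or req["sname"] not in KEYS:
        return {"error": "unknown principal"}
    try:
        inner = unseal(client_key, req["enc"])
    except ValueError:
        return {"error": "client request could not be decrypted"}
    if (inner["cname"], inner["sname"]) != (req["cname"], req["sname"]):
        return {"error": "encrypted part does not match outer names"}
    session = os.urandom(16).hex()
    ticket = seal(KEYS[req["sname"]], {"cname": inner["cname"], "session": session, "authz": ["user"]})
    return {"ticket": ticket, "enc_part": seal(client_key, {"session": session})}

def service_authenticate(req, service_key):
    """Step 3: the service proxies the request to the KDC and validates the returned ticket."""
    rep = kdc_handle(req)
    if "error" in rep:
        return None, rep["error"]
    return unseal(service_key, rep["ticket"]), rep["enc_part"]  # ticket opens only with the service key

def client_finish(client_key, enc_part):
    """Step 4: the client recovers the session key; success shows the KDC accepted its request."""
    return unseal(client_key, enc_part)["session"]
```

Because the client request carries no timestamp or nonce (the post rules out time services), a captured request could be resubmitted to the service and would be accepted by the KDC again; a deployment would need replay protection that the post does not specify.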